AI tools are in your business whether IT approved them or not. Your staff are using ChatGPT, Claude, Gemini, and the AI features built into the tools they already subscribe to, sometimes with your client data, sometimes without realising the risk. A policy doesn't stop people from using AI. It tells them what they can use it for, what data they can share with it, and what requires human oversight. Here is a working template to adapt.
Version: 1.0 | Effective date: [Date] | Owner: [Privacy Officer / Operations Lead]
Section 1: Purpose and Scope
This policy governs the use of artificial intelligence tools by [Business Name] employees, contractors, and any other persons accessing company systems. It applies to:
- Public AI services: ChatGPT, Claude, Gemini, Perplexity, and similar consumer or enterprise services where you submit content to a third-party system.
- Embedded AI in existing tools: Microsoft Copilot in M365, AI features in your CRM, Grammarly, and similar tools embedded in software you already use.
- Custom AI: any AI system built or commissioned specifically for this business.
All three categories are in scope. Different rules apply to each.
Section 2: Data Classification
Before using any AI tool, classify the data you intend to input:
| Class | Definition | Examples |
|---|---|---|
| Public | Information we'd publish on our website | Marketing copy, published pricing, general FAQs |
| Internal | Not public, but not sensitive | Meeting notes about internal projects, draft schedules |
| Confidential | Client data, financial data, business IP | Client records, contracts, financial statements |
| Restricted | Regulated personal data, legally privileged information | Health data, data subject to PIPEDA/PIPA, legal advice |
Public AI services (consumer tier) may receive Public data only. Enterprise-tier AI services with a signed DPA may receive Internal and, where vendor controls are verified, Confidential data. Restricted data requires explicit approval from [Privacy Officer] before any AI processing.
Section 3: Approved Tools
| Tool | Approved data classes | Notes |
|---|---|---|
| Microsoft 365 Copilot (M365 Business/Enterprise) | Public, Internal, Confidential | Data stays in M365 tenant; DPA in place |
| [Other enterprise tool] | Public, Internal | Review DPA before adding Confidential data |
| ChatGPT (free/personal tier) | Public only | Do not enter client names, financials, or internal project details |
Adding a new AI tool: Before using a new AI tool for anything beyond Public data, submit a vendor assessment to [IT Contact]. Do not install browser extensions or integrations that access company systems without IT review.
Section 4: Human-in-the-Loop Requirements
AI can suggest. Humans approve. The following categories require documented human review before AI output is acted upon or sent externally:
- Customer-facing communications
- Financial calculations, quotes, or transactions
- Hiring decisions or performance assessments
- Legal positions or contract language
- Medical or safety-related advice
"Human review" means a qualified person reads the output, verifies it against available information, and takes ownership of the decision. Log the review.
Section 5: Output Verification
AI tools hallucinate: they generate plausible-sounding but incorrect information with no visible signal that they've done so. Any AI-generated output used in a client deliverable, regulatory submission, or public communication must be verified against a primary source before use.
Do not cite statistics, legal provisions, or technical specifications from AI output without verifying them independently.
Section 6: Vendor Due Diligence
Before adopting a paid AI tool for Confidential or Internal data, document:
- Does the vendor train on your data? (Confirm in their DPA, not their marketing page.)
- Where is data stored and processed? (For Canadian privacy compliance, Canadian or adequately protected storage is preferred.)
- What is their breach notification commitment?
- Do they hold SOC 2 Type II or equivalent?
- What is their data retention period?
Most consumer AI tools fail one or more of these. Most enterprise AI tools pass. Know which you're using.
Section 7: Training
All staff who use AI tools in their work will complete a 30-minute onboarding session covering this policy, approved tools, and data classification. This session will be repeated annually or when this policy is materially updated.
Section 8: Violations
Violations of this policy, including sharing Restricted or Confidential data with unapproved AI tools, will be treated as a data handling incident under our Incident Response Policy and may result in disciplinary action.
This template is a starting point. Have your legal adviser review it before publication, especially if your business is subject to PIPEDA, BC PIPA, health privacy legislation, or sector-specific regulations.
To talk to a Prince George-based IT team about implementing AI tools safely, call 672-983-1174 or book a free assessment at northstarit.ca.